Quick Question - I'm looking to get much better on web application security and I'm currently doing WebGoat on a home lab.

I'm responsible for working with developers and scanning websites at my job with external vulnerability scanners.

My question is that I'm not a "developer" and would taking the GWAPT test be way too over my head? I recently passed the GCIH exam and wanted to take something that would give me a better understanding of XSS, SQL injection, etc.

You certainly don't need to be a developer to understand the material. I'm sure the courseware explains the concepts well, and if there are any items you need more information on, there are tons of free resources online.

Last edited by dynamik on Fri Feb 08, 2013 11:00 pm, edited 1 time in total.

I passed the GWAPT last year and I'm not a developer (far from it, actually, as I work on network infrastructure security for a living). SANS SEC-542 will teach you to recognize JavaScript / Python / PHP basics and the material doesn't require you to know how to code. I think the mindset helps, but if I can get through the course and manage to pass the GWAPT exam, you should be able to as well.

In the real-world, doing web app pentesting might practically require that you understand these areas much better, but SEC-542 is not what I'd consider a really advanced web app pentesting course.

SEC542 is a very basic course, which prepares you to do the GWAPT exam, where I was given a test exam a couple of years ago. I had never studied the course, yet I passed without knowing about SOAP and a few other things that you hardly, ever see when conducting a penetration test. (I have tested a few big lists of web services, and yes it was boring, but at least I gained some experience during that, such as it's rarely any critical bugs you find, it's often just user account related problems, often rated as low or medium risk. Meaning it's just "filler space" in a report.)

Anyway, yes you can do it. I'm a hacker, and yes I knew how to write secure PHP code when I took the exam attempt (I wasn't taking the actual certification). To me, it was extremely easy, but then again I am already a hacker so of course it's easy when I specialize in web application security.

Having previously taken GPEN (and passed, and become a mentor), I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn't make sense until you understand "their language"), and of course how much you had to think about each question. Because when I did my first GPEN exam attempt (test exam, not actual exam) without any study, I passed as well without any study, but I wanted to increase my score, so I studied a bit. Anyway during that test exam, there were a lot of questions where I was thinking, is this a trick question? This is way too easy to be included in this type of exam that proves your skill, but they weren't.

Sometimes the questions can be a bit strangely phrased, so you will have to think for a while about what they actually mean. But it's nothing compared to some custom CEH courseware I went through for fun, while I was working as tech support and wondered how hard CEH would be. Not because I want the cert though, just want to see how hard / easy it would be to pass, plus it was free at my previous job. (The custom courseware.)

I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn't make sense until you understand "their language"), and of course how much you had to think about each question.

MaXe, have you done CISSP yet (probably I guess)? If you think GPEN had funny questions, you will fall off your chair with the CISSP exam...

I think I may have gone through some or all of the courseware from a third party provider as well. Questions were just as horrible as CEH, but I heard the actual exam questions were like, making serious infosec people die